NotesController: Double-check that req.user is defined

TokenAuthGuard ensures that req.user is always
defined, but thanks to strict mode we have to check again.

In the future, we may add a custom Request type and
a custom param decorator to centralize the check.

Signed-off-by: David Mehren <git@herrmehren.de>
This commit is contained in:
David Mehren 2021-04-29 18:12:20 +02:00
parent 0a8dd454ab
commit b962e8390a
No known key found for this signature in database
GPG key ID: 185982BA4C42B7C3

View file

@ -12,6 +12,7 @@ import {
Get, Get,
Header, Header,
HttpCode, HttpCode,
InternalServerErrorException,
NotFoundException, NotFoundException,
Param, Param,
Post, Post,
@ -88,6 +89,10 @@ export class NotesController {
@Req() req: Request, @Req() req: Request,
@MarkdownBody() text: string, @MarkdownBody() text: string,
): Promise<NoteDto> { ): Promise<NoteDto> {
if (!req.user) {
// We should never reach this, as the TokenAuthGuard handles missing user info
throw new InternalServerErrorException('Request did not specify user');
}
// ToDo: provide user for createNoteDto // ToDo: provide user for createNoteDto
if (!this.permissionsService.mayCreate(req.user)) { if (!this.permissionsService.mayCreate(req.user)) {
throw new UnauthorizedException('Creating note denied!'); throw new UnauthorizedException('Creating note denied!');
@ -111,6 +116,10 @@ export class NotesController {
@Req() req: Request, @Req() req: Request,
@Param('noteIdOrAlias') noteIdOrAlias: string, @Param('noteIdOrAlias') noteIdOrAlias: string,
): Promise<NoteDto> { ): Promise<NoteDto> {
if (!req.user) {
// We should never reach this, as the TokenAuthGuard handles missing user info
throw new InternalServerErrorException('Request did not specify user');
}
let note: Note; let note: Note;
try { try {
note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias); note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
@ -144,6 +153,10 @@ export class NotesController {
@Param('noteAlias') noteAlias: string, @Param('noteAlias') noteAlias: string,
@MarkdownBody() text: string, @MarkdownBody() text: string,
): Promise<NoteDto> { ): Promise<NoteDto> {
if (!req.user) {
// We should never reach this, as the TokenAuthGuard handles missing user info
throw new InternalServerErrorException('Request did not specify user');
}
if (!this.permissionsService.mayCreate(req.user)) { if (!this.permissionsService.mayCreate(req.user)) {
throw new UnauthorizedException('Creating note denied!'); throw new UnauthorizedException('Creating note denied!');
} }
@ -175,6 +188,10 @@ export class NotesController {
@Param('noteIdOrAlias') noteIdOrAlias: string, @Param('noteIdOrAlias') noteIdOrAlias: string,
@Body() noteMediaDeletionDto: NoteMediaDeletionDto, @Body() noteMediaDeletionDto: NoteMediaDeletionDto,
): Promise<void> { ): Promise<void> {
if (!req.user) {
// We should never reach this, as the TokenAuthGuard handles missing user info
throw new InternalServerErrorException('Request did not specify user');
}
try { try {
const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias); const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
if (!this.permissionsService.isOwner(req.user, note)) { if (!this.permissionsService.isOwner(req.user, note)) {
@ -217,6 +234,10 @@ export class NotesController {
@Param('noteIdOrAlias') noteIdOrAlias: string, @Param('noteIdOrAlias') noteIdOrAlias: string,
@MarkdownBody() text: string, @MarkdownBody() text: string,
): Promise<NoteDto> { ): Promise<NoteDto> {
if (!req.user) {
// We should never reach this, as the TokenAuthGuard handles missing user info
throw new InternalServerErrorException('Request did not specify user');
}
try { try {
const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias); const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
if (!this.permissionsService.mayWrite(req.user, note)) { if (!this.permissionsService.mayWrite(req.user, note)) {
@ -251,6 +272,10 @@ export class NotesController {
@Req() req: Request, @Req() req: Request,
@Param('noteIdOrAlias') noteIdOrAlias: string, @Param('noteIdOrAlias') noteIdOrAlias: string,
): Promise<string> { ): Promise<string> {
if (!req.user) {
// We should never reach this, as the TokenAuthGuard handles missing user info
throw new InternalServerErrorException('Request did not specify user');
}
try { try {
const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias); const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
if (!this.permissionsService.mayRead(req.user, note)) { if (!this.permissionsService.mayRead(req.user, note)) {
@ -281,6 +306,10 @@ export class NotesController {
@Req() req: Request, @Req() req: Request,
@Param('noteIdOrAlias') noteIdOrAlias: string, @Param('noteIdOrAlias') noteIdOrAlias: string,
): Promise<NoteMetadataDto> { ): Promise<NoteMetadataDto> {
if (!req.user) {
// We should never reach this, as the TokenAuthGuard handles missing user info
throw new InternalServerErrorException('Request did not specify user');
}
try { try {
const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias); const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
if (!this.permissionsService.mayRead(req.user, note)) { if (!this.permissionsService.mayRead(req.user, note)) {
@ -315,6 +344,10 @@ export class NotesController {
@Param('noteIdOrAlias') noteIdOrAlias: string, @Param('noteIdOrAlias') noteIdOrAlias: string,
@Body() updateDto: NotePermissionsUpdateDto, @Body() updateDto: NotePermissionsUpdateDto,
): Promise<NotePermissionsDto> { ): Promise<NotePermissionsDto> {
if (!req.user) {
// We should never reach this, as the TokenAuthGuard handles missing user info
throw new InternalServerErrorException('Request did not specify user');
}
try { try {
const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias); const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
if (!this.permissionsService.isOwner(req.user, note)) { if (!this.permissionsService.isOwner(req.user, note)) {
@ -348,6 +381,10 @@ export class NotesController {
@Req() req: Request, @Req() req: Request,
@Param('noteIdOrAlias') noteIdOrAlias: string, @Param('noteIdOrAlias') noteIdOrAlias: string,
): Promise<RevisionMetadataDto[]> { ): Promise<RevisionMetadataDto[]> {
if (!req.user) {
// We should never reach this, as the TokenAuthGuard handles missing user info
throw new InternalServerErrorException('Request did not specify user');
}
try { try {
const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias); const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
if (!this.permissionsService.mayRead(req.user, note)) { if (!this.permissionsService.mayRead(req.user, note)) {
@ -384,6 +421,10 @@ export class NotesController {
@Param('noteIdOrAlias') noteIdOrAlias: string, @Param('noteIdOrAlias') noteIdOrAlias: string,
@Param('revisionId') revisionId: number, @Param('revisionId') revisionId: number,
): Promise<RevisionDto> { ): Promise<RevisionDto> {
if (!req.user) {
// We should never reach this, as the TokenAuthGuard handles missing user info
throw new InternalServerErrorException('Request did not specify user');
}
try { try {
const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias); const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
if (!this.permissionsService.mayRead(req.user, note)) { if (!this.permissionsService.mayRead(req.user, note)) {
@ -415,6 +456,10 @@ export class NotesController {
@Req() req: Request, @Req() req: Request,
@Param('noteIdOrAlias') noteIdOrAlias: string, @Param('noteIdOrAlias') noteIdOrAlias: string,
): Promise<MediaUploadDto[]> { ): Promise<MediaUploadDto[]> {
if (!req.user) {
// We should never reach this, as the TokenAuthGuard handles missing user info
throw new InternalServerErrorException('Request did not specify user');
}
try { try {
const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias); const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
if (!this.permissionsService.mayRead(req.user, note)) { if (!this.permissionsService.mayRead(req.user, note)) {